[cfe-commits] r146240 - in /cfe/trunk: include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h lib/StaticAnalyzer/Core/SValBuilder.cpp lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp test/Analysis/taint-tester.c
Anna Zaks
ganna at apple.com
Thu Dec 8 19:34:03 PST 2011
Author: zaks
Date: Thu Dec 8 21:34:02 2011
New Revision: 146240
URL: http://llvm.org/viewvc/llvm-project?rev=146240&view=rev
Log:
[analyzer] Fix an inconsistency in when SValBuilder assumes that two
types are equivalent.
+ A taint test that exercises bitwise operations and was
triggering an assertion due to the presence of an integer-to-integer cast.
Modified:
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp
cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
cfe/trunk/test/Analysis/taint-tester.c
Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h?rev=146240&r1=146239&r2=146240&view=diff
==============================================================================
--- cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h (original)
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h Thu Dec 8 21:34:02 2011
@@ -68,6 +68,17 @@
virtual ~SValBuilder() {}
+ bool haveSameType(const SymExpr *Sym1, const SymExpr *Sym2) {
+ return haveSameType(Sym1->getType(Context), Sym2->getType(Context));
+ }
+
+ bool haveSameType(QualType Ty1, QualType Ty2) {
+ // FIXME: Remove the second disjunct when we support symbolic
+ // truncation/extension.
+ return (Context.getCanonicalType(Ty1) == Context.getCanonicalType(Ty2) ||
+ (Ty2->isIntegerType() && Ty2->isIntegerType()));
+ }
+
SVal evalCast(SVal val, QualType castTy, QualType originalType);
virtual SVal evalMinus(NonLoc val) = 0;
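Review bot: The second disjunct in the new QualType overload, `(Ty2->isIntegerType() && Ty2->isIntegerType())`, tests Ty2 twice and never looks at Ty1, so any Ty1 paired with an integer Ty2 is reported as the same type; it should read `(Ty1->isIntegerType() && Ty2->isIntegerType())`. Since the SimpleSValBuilder hunk below now returns the uncast symbolic value whenever this predicate holds, the typo would make a cast from a non-integer symbol to an integer type a silent no-op, which is not what the FIXME describes. Both overloads are public and undocumented; a one-line doc comment such as `/// True if the canonical types match, or (until symbolic truncation/extension is modelled) if both are integer types.` would record the intended approximation. The enclosing class continues outside the hunk.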
Modified: cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp?rev=146240&r1=146239&r2=146240&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp Thu Dec 8 21:34:02 2011
@@ -37,7 +37,6 @@
return UnknownVal();
}
-
NonLoc SValBuilder::makeNonLoc(const SymExpr *lhs, BinaryOperator::Opcode op,
const llvm::APSInt& rhs, QualType type) {
// The Environment ensures we always get a persistent APSInt in
@@ -51,7 +50,7 @@
NonLoc SValBuilder::makeNonLoc(const SymExpr *lhs, BinaryOperator::Opcode op,
const SymExpr *rhs, QualType type) {
assert(lhs && rhs);
- assert(SymMgr.getType(lhs) == SymMgr.getType(rhs));
+ assert(haveSameType(lhs->getType(Context), rhs->getType(Context)) == true);
assert(!Loc::isLocType(type));
return nonloc::SymbolVal(SymMgr.getSymSymExpr(lhs, op, rhs, type));
}
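Review bot: `assert(haveSameType(lhs->getType(Context), rhs->getType(Context)) == true);` compares a bool against `true` and re-derives the two types that the new `haveSameType(const SymExpr *, const SymExpr *)` overload already derives; `assert(haveSameType(lhs, rhs));` expresses the same check. The assertion is also weaker than the removed `SymMgr.getType(lhs) == SymMgr.getType(rhs)`: two symbols of different integer widths now pass, so the header's FIXME applies to this constructor as well. A short comment here, `// FIXME: distinct integer types are accepted until symbolic truncation/extension is modelled.`, would keep that visible to readers of the SymSymExpr path.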
Modified: cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp?rev=146240&r1=146239&r2=146240&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp Thu Dec 8 21:34:02 2011
@@ -80,16 +80,14 @@
if (const SymExpr *se = val.getAsSymbolicExpression()) {
QualType T = Context.getCanonicalType(se->getType(Context));
- if (T == Context.getCanonicalType(castTy))
- return val;
-
+ // If types are the same or both are integers, ignore the cast.
// FIXME: Remove this hack when we support symbolic truncation/extension.
// HACK: If both castTy and T are integers, ignore the cast. This is
// not a permanent solution. Eventually we want to precisely handle
// extension/truncation of symbolic integers. This prevents us from losing
// precision when we assign 'x = y' and 'y' is symbolic and x and y are
// different integer types.
- if (T->isIntegerType() && castTy->isIntegerType())
+ if (haveSameType(T, castTy))
return val;
if (!isLocType)
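Review bot: The added line `// If types are the same or both are integers, ignore the cast.` restates the five-line HACK comment that follows it, and both now describe a decision the code delegates to haveSameType; a single comment pointing there, e.g. `// haveSameType() treats all integer types as equivalent (see FIXME in SValBuilder.h), so the cast is dropped.`, would avoid the duplicated explanation. The `Context.getCanonicalType(...)` call on the line computing `T` is also redundant now, since haveSameType canonicalises both arguments itself, though it is harmless. The enclosing function starts and ends outside the hunk.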
@@ -483,7 +481,7 @@
// Otherwise, make a SymbolVal out of the expression.
return MakeSymIntVal(symIntExpr, op, rhsInt->getValue(), resultTy);
- // LHS is a simple symbol.
+ // LHS is a simple symbol (not a symbolic expression).
} else {
nonloc::SymbolVal *slhs = cast<nonloc::SymbolVal>(&lhs);
SymbolRef Sym = slhs->getSymbol();
Modified: cfe/trunk/test/Analysis/taint-tester.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-tester.c?rev=146240&r1=146239&r2=146240&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-tester.c (original)
+++ cfe/trunk/test/Analysis/taint-tester.c Thu Dec 8 21:34:02 2011
@@ -55,3 +55,18 @@
int ty = xy.y; // FIXME: This should be tainted as well.
char ntz = xy.z;// no warning
}
+
+void BitwiseOp(int in, char inn) {
+ // Taint on bitwise operations, integer to integer cast.
+ int m;
+ int x = 0;
+ scanf("%d", &x);
+ int y = (in << (x << in)) * 5;// expected-warning 4 {{tainted}}
+ // The next line tests integer to integer cast.
+ int z = y & inn; // expected-warning 2 {{tainted}}
+ if (y == 5) // expected-warning 2 {{tainted}}
+ m = z | z;// expected-warning 4 {{tainted}}
+ else
+ m = inn;
+ int mm = m; // expected-warning {{tainted}}
+}